The Google Play Store has removed nine Android apps after it was discovered that they were stealing the login credentials of Facebook users.
According to Doctor Web’s malware security analysts have discovered malicious android apps on Google Play that steal Facebook users’ logins and passwords. These stealer malware were spread as harmless software and were installed more than 5,856,010 times.
In total, Dr. web cyber security specialists uncovered 10 of these malicious apps. Of them, 9 were available on Google Play:
- A photo-editing software called Processing Photo. It is detected by Dr.Web Anti-Virus as Android.PWS.Facebook.13 and was spread by the developer chikumburahamilton. It was installed over 500,000 times.
- Applications that enabled access limitations for using other software installed on Android devices: App Lock Keep from the developer Sheralaw Rence, App Lock Manager from the developer Implummet col, and Lockit Master from the developer Enali mchicolo―all detected as Android.PWS.Facebook.13. They were downloaded at least 50,000, 10 and 5,000 times respectively.
- Rubbish Cleaner from the developer SNT.rbcl―a utility to optimize the Android device performance. It was downloaded over 100,000 times. Dr.Web detects it as Android.PWS.Facebook.13.
- Astrology programs Horoscope Daily from the developer HscopeDaily momo and Horoscope Pi from the developer Talleyr Shauna, also detected as Android.PWS.Facebook.13. The former had more than 100,000 installs while the latter―more than 1,000 installs.
- A fitness program called Inwell Fitness, and detected as Android.PWS.Facebook.14 from the developer Reuben Germaine. It has more than 100,000 installs.
- An image editing app called PIP Photo that was spread by the developer Lillians. Its various versions are detected as Android.PWS.Facebook.17 and Android.PWS.Facebook.18. This app has over 5,000,000 downloads.
- Upon Doctor Web’s specialists report to Google, part of these malicious applications was removed from Google Play. However, at the time of this news release, some apps were still available for download.
These malware used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to highjack the entered login credentials.
After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.
Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service.
What To Do ?
If you already installed these android apps, then you need to change your Facebook password immediately.
Moreover, also change the passwords for all those accounts that are identical to your Facebook password.
- PIP Photo: Approx 5.8 million downloads
- Processing Photo: Approx 500,000 downloads
- Rubbish Cleaner: Approx 100,000 downloads
- Inwell Fitness: Approx 100,000 downloads
- Horoscope Daily: Approx 100,000 downloads
- App Lock Keep: Approx 50,000 downloads
- Lockit Master: Approx 5,000 downloads
- Horoscope Pi: Approx 1,000 downloads
- App lock Manage: Approx 10 downloads
